Over the past few years, China has issued a series of regulations to regulate data processing activities, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national sovereignty, security, and development interests. Businesses need to follow these 5 primary obligations when operating websites in mainland China to safely stay within the law.
In September 2000, the Chinese government released China Measures for the Administration of Internet Information Services in China, effective September 25, 2000. In 2021, the Chinese government released China DSL (Data Security Law) in China, effective on September 1, 2021. You can read the English-translated version of the China Measures for the Administration of Internet Information Services in China, and the China Data Security Law.
As is typical with the legal system in China, these rules can be relatively vague and are subject to interpretation by the enforcement authorities. In general, they regulate data processing activities, ensure data security, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, and safeguard national sovereignty, security, and development interests.
These regulations outline five primary obligations for those who operate websites in China:
1. Licensing for China
Depending on the nature of your website, whether it sells products directly or not, you may require different ICP licenses for China.
As stated in Article 3 and Article 4 of the China Measures for the Administration of Internet Information Services in China:
Internet information services are divided into two categories: commercial and non-commercial. Commercial Internet information services refer to the provision of information or web page creation and other service activities to Internet users through the Internet. Non-commercial Internet information services refer to service activities that provide open and shared information to Internet users for free through the Internet.
The state implements a licensing system for commercial Internet information services; and a filing system for non-commercial Internet information services. Those who have not obtained a license or have not performed the filing procedures shall not engage in Internet information services.
For example, a static website showcasing your business cases requires ICP Filling, and shopping and e-commerce platforms require a Commercial ICP license. If you don’t know what is the China ICP License yet, ICP stands for Internet Content Provider. An ICP certification is a permit issued at the province level by the Chinese Ministry of Industry and Information Technology (MIIT) that legally allows “any content provider” to host and operate in China. This requirement was instated in 2000 by the Telecommunications Regulations of the People’s Republic of China.
According to the Telecommunications Regulations of the People’s Republic of China, described in Article 19 of Administrative Measures on Internet-Based Information Systems:
Anyone who violates the provisions of these regulations by engaging in commercial Internet information services without obtaining a business license, or providing services beyond the permitted items, shall be ordered by the telecommunications management agency of the province, autonomous region, or municipality directly under the Central Government to make corrections within a time limit. If there is no illegal income or the illicit income is less than 50,000 yuan, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed; if the circumstances are severe, the website shall be ordered to shut down.
Those who engage in Internet information services without obtaining a business license, or provide services beyond the permitted items, shall be ordered by the local telecommunications management agency to make corrections within a time limit.
If you are not sure which category your website falls into, we can help you identify which licenses your business requires to stay compliant with Chinese laws.
2. Establish Effective Provisions to Protect User Information
Just as in the USA and other countries, China requires you to use industry-standard safeguards to protect Personally Identifiable Information (PII). This is stated in Article 40, Chapter 4 of China Data Security Law.
3. Protect the User’s Right to Control Their Information
As clearly stated in Chapter 4 of China Data Security Law, when your website needs to collect user data, such as accessing their geographic functions, contact lists, camera, sound recording, and other such functions, you must explicitly ask and receive consent from the user.
Also, any organization or individual collecting data shall adopt legal and proper methods and shall not steal or obtain data in other illegal ways. Where laws and administrative regulations stipulate the purpose and scope of data collection and use, the data shall be collected and used within the purpose and scope specified by laws and administrative rules.
4. Data Localization
Over the past few years, China has issued a series of regulations requiring the storage of data generated by apps operating in China. As a general rule, to safely stay within the law, website operators who collect PII in China must store that information on servers within mainland China. This provides the added benefit of increased speed for local users and is a significant reason why 21YunBox offers a hosting solution for our overseas clients.
As stated in Article 31 of China Data Security Law, The outbound security management of important data collected and generated by operators of critical information infrastructure during their operations within the territory of the People’s Republic of China shall be governed by the provisions of the Cybersecurity Law of the People’s Republic of China; other data processors are located in the People’s Republic of China Measures for the security management of the exit of important data collected and generated in domestic operations shall be formulated by the national cybersecurity and informatization department in conjunction with the relevant departments of the State Council.
Cross-border data transfer requires a security assessment, government approval, and user consent, and breaking this law can lead to devastating results. In July 2022, China’s cybersecurity authority fined ride-hailing giant Didi Global more than $1 billion for breaking data security laws. The closure of a yearlong probe prevented the company from adding new users.
5. Record and Save User Log Information
As stated in Article 14 of the China Measures for the Administration of Internet Information Services in China, Internet information service providers engaged in services such as news, publishing, and electronic announcements shall record the content of the information provided and its release time, Internet address or domain name; Internet access service providers shall record the Internet access time of Internet users, user account, Internet address or domain name, calling the phone number and other information.
The backup records of Internet information service providers and Internet access service providers shall be kept for a minimum of 60 days. They shall provide when relevant state organs make inquiries in accordance with the law. Certain types of website content are also either banned – such as gambling, fake news, pornography, or political dissent – or heavily restricted in China (such as VPNs, which must receive government approval).
The Easiest Way
21YunBox has an international team headquartered in Shanghai to provide overseas companies with a simple and easy way to make your website work in China and ensure compliance with Chinese laws. Once your website is live in China, we will continue to provide localization, monetization, hosting, and other services. Contact us now to see how we can help!
